Deleting candidates' personal data in TalentLyft, to be compliant with GDPR, is called Anonymization. By anonimyzing candidates, instead of just deleting them, you are keeping your analytics data. This means that anonymized candidates will still appear (as a number only) in your analytics, while the deleted ones won't. This enables you to generate correct reports even if candidates had to be deleted due to GDPR.

Before you start anonymizing candidates, make sure you have set up your GDPR compliance settings. When the GDPR compliance feature is enabled in your system, you can start anonimyzing the candidates whose personal data you need to delete to stay compliant with GDPR. 

TalentLyft will never delete or anonymize candidates automatically, we want to leave the final decision to you. However, TalentLyft will make it as easy as possible for you to do it. The system does that by taking into consideration your GDPR compliance settings and placing all candidates who match the anonymization conditions on the Needs to be deleted list.

All you need to do is define a recurring period (once a day, once a week or once a month) and anonymize all candidates on the Needs to be deleted list periodically according to the instructions below.

Generating the Needs to be deleted list

First of all, you should understand how the list is being generated. The following situations that will result in candidates being placed on the Needs to be deleted list:

  • Candidate's retention period consent has expired;
  • Candidate didn't give you the retention period consent and the job he/she applied for is archived;
  • Candidate didn't give you the retention period consent and the job he/she applied for is still active, but the inactivity period has expired.

If you want to get into the logic behind this a bit more, you can take a look at this article.

Accessing the Needs to be deleted list

To access the Needs to be delete list, go to Engage Candidates and open the Filter settings.

From the list of available filters, scroll to the GDPR filters section and select the Needs to be deleted filter and select the is true operator. 

The list of all candidates that need to be deleted/anonymized is now in front of you.

Anonymizing the candidates

You can now select all candidates on the list by ticking the checkbox in the upper left corner of the list. When the candidates are selected, click on the three dots in the upper right section of the screen and select the Anonymize option. The system will ask you if you are sure that you want to do this, and when you click Yes, candidates will be anonymized.

Be careful with this operation because anonymization is irreversible. To stay compliant on our end, we need to delete the candidates from our database immediately when you request so. That means that, if you anonymize candidates by mistake, not even we will be able to get them back.

Sourced and imported candidates

Sourced candidates and the ones imported from a legacy ATS are a special case. They will not appear on the Needs to be deleted list immediately, even though you don't have their Data policy and Retention period consents. This is because, in such cases, legitimate interest is the base for you to use their personal data. These candidates will be placed on the Needs to be deleted list when:

  • The job they applied for is archived or
  • The inactivity period has expired.

GDPR states that you can use someone's personal data if you have a legitimate interest. In this case, your legitimate interest is your intention to hire the person. However, because legitimate interest is not something that is strictly defined, we should avoid relying on it as a basis for personal data usage and retention. When you add candidates to your TalentLyft account, you should immediately ask them to give you their Privacy policy and Retention period consents according to the instructions in this article

Related articles: 

GDPR Compliance

How to send a consent request via email?

GDPR compliance - Sourced and Imported candidates

When do candidates get a "Candidate needs to be deleted" flag?

Extending retention period consents

Did this answer your question?